From 8de46eac65deb33cd91fa242fb89fb59dc3cac42 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 13 Sep 2012 17:12:24 -0700 Subject: Add 'bool use_privs' to smbd_calculate_access_mask(). Replaces blanket root allow if set. Set to 'false' for all current callers. Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Sat Sep 15 00:37:49 CEST 2012 on sn-devel-104 --- source3/smbd/fake_file.c | 2 +- source3/smbd/globals.h | 1 + source3/smbd/open.c | 11 +++++++---- source3/smbd/smb2_create.c | 1 + 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/source3/smbd/fake_file.c b/source3/smbd/fake_file.c index d052d4965d..3f9e2aec05 100644 --- a/source3/smbd/fake_file.c +++ b/source3/smbd/fake_file.c @@ -129,7 +129,7 @@ NTSTATUS open_fake_file(struct smb_request *req, connection_struct *conn, files_struct *fsp = NULL; NTSTATUS status; - status = smbd_calculate_access_mask(conn, smb_fname, + status = smbd_calculate_access_mask(conn, smb_fname, false, access_mask, &access_mask); if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("open_fake_file: smbd_calculate_access_mask " diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h index 566f04d71f..74e42c77af 100644 --- a/source3/smbd/globals.h +++ b/source3/smbd/globals.h @@ -202,6 +202,7 @@ bool smbd_dirptr_lanman2_entry(TALLOC_CTX *ctx, NTSTATUS smbd_calculate_access_mask(connection_struct *conn, const struct smb_filename *smb_fname, + bool use_privs, uint32_t access_mask, uint32_t *access_mask_out); diff --git a/source3/smbd/open.c b/source3/smbd/open.c index b0303f8196..b67c045e34 100644 --- a/source3/smbd/open.c +++ b/source3/smbd/open.c @@ -1662,13 +1662,14 @@ static void schedule_async_open(struct timeval request_time, static NTSTATUS smbd_calculate_maximum_allowed_access( connection_struct *conn, const struct smb_filename *smb_fname, + bool use_privs, uint32_t *p_access_mask) { struct security_descriptor *sd; uint32_t access_granted; NTSTATUS status; - if (get_current_uid(conn) == (uid_t)0) { + if (!use_privs && (get_current_uid(conn) == (uid_t)0)) { *p_access_mask |= FILE_GENERIC_ALL; return NT_STATUS_OK; } @@ -1698,7 +1699,7 @@ static NTSTATUS smbd_calculate_maximum_allowed_access( */ status = se_file_access_check(sd, get_current_nttok(conn), - false, + use_privs, (*p_access_mask & ~FILE_READ_ATTRIBUTES), &access_granted); @@ -1716,6 +1717,7 @@ static NTSTATUS smbd_calculate_maximum_allowed_access( NTSTATUS smbd_calculate_access_mask(connection_struct *conn, const struct smb_filename *smb_fname, + bool use_privs, uint32_t access_mask, uint32_t *access_mask_out) { @@ -1733,7 +1735,7 @@ NTSTATUS smbd_calculate_access_mask(connection_struct *conn, if (access_mask & MAXIMUM_ALLOWED_ACCESS) { status = smbd_calculate_maximum_allowed_access( - conn, smb_fname, &access_mask); + conn, smb_fname, use_privs, &access_mask); if (!NT_STATUS_IS_OK(status)) { return status; @@ -2085,6 +2087,7 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn, } status = smbd_calculate_access_mask(conn, smb_fname, + false, access_mask, &access_mask); if (!NT_STATUS_IS_OK(status)) { @@ -2922,7 +2925,7 @@ static NTSTATUS open_directory(connection_struct *conn, (unsigned int)create_disposition, (unsigned int)file_attributes)); - status = smbd_calculate_access_mask(conn, smb_dname, + status = smbd_calculate_access_mask(conn, smb_dname, false, access_mask, &access_mask); if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("open_directory: smbd_calculate_access_mask " diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c index 331ca49b1b..0d9a146b23 100644 --- a/source3/smbd/smb2_create.c +++ b/source3/smbd/smb2_create.c @@ -932,6 +932,7 @@ static struct tevent_req *smbd_smb2_create_send(TALLOC_CTX *mem_ctx, status = smbd_calculate_access_mask(smb1req->conn, result->fsp_name, + false, SEC_FLAG_MAXIMUM_ALLOWED, &max_access_granted); -- cgit